Copyright © 2018 Arm TechCon, All rights reserved.
Building and evolving an IoT ecosystem – a developer's story
Arm K.K., IoT Services Group
Sales & Business Development Director
春田 篤志
© 2018 Arm Limited.
Pelion IoT Platform
A platform that comprehensively and securely manages IoT connectivity, devices and data
• Connect and manage IoT devices and data at any scale, seamlessly and securely
• Designed to run in any environment: public cloud, private cloud, on-premises or hybrid
Diagram labels: application ecosystem (application development support); connectivity management service; device management service; data management service; security between devices and data; Pelion; enterprise data + other data
Effective device management is the key to get value from data
Effective IoT device management ensures data is delivered securely and reliably from the right devices at the right time
• Device provisioning and onboarding
• Device life-cycle management
• Secure software update
• Access control
• Device health monitoring
Diagram labels: Device Management (equipment, process, environment, parts, materials, people) → Application (insights, optimizations, responses); application data / app data
Market opportunity
The commercial and industrial sector, driven by building automation, industrial automation, and lighting, will account for nearly 50% of new connected devices between 2018 and 2030.
Heterogeneity: enablers and blockers to scale
• Heterogeneity in device classes
• Multiple connectivity methods: WiFi, Cellular, Ethernet, LPWAN, Bluetooth & Zigbee, Bluetooth low energy
• Heterogeneity in service deployment
Standards in the context of IoT
Application layer protocol
Commercial and technical drivers: a seal of approval; defragmentation/interoperability; domain-specific challenges; players' level of interest
Options: proprietary; any standard; specific standard
IoT security requires addressing complex challenges
• Secure provisioning of cryptographic device identity at untrusted factories
• Managing public key infrastructure used by device identities at scale
• Device protection and security
• Renewing device security by remote software updates
• Controlling access to devices, services and data by users and apps
• Integration with enterprise IT infrastructure
• Regulation compliance and risk
IoT Device Classes
Solving connection and deployment challenges with standards
Access to the reliable connectivity portfolio that developers need
• IoT connectivity: developers build applications that use REST APIs for communication
  → Simplified development
  → Hardware portability
  → Products can have multiple connectivity options
• Application integration
• Options for deployment (diagram label: NB-IoT)
Cloud architecture: Cloud; On Premises (OpenStack, HW DC IaaS); other clouds
• Using the same SW technologies with cloud and on-premises
• Identical features and capabilities
Gateways: critical piece of IoT infrastructure
"...through 2020, 90 percent of IoT projects will use some form of IoT gateway"
Not all devices can connect (directly) to the cloud
• Non-IP devices
• Legacy devices with legacy protocols (brownfield devices)
Not all data can or needs to go to the cloud
• Latency
• Offline operation
• Security and privacy needs
• Data conservation
High-Level System Architecture: Cloud-hosted instances
Typical device management topology (diagram): Device Management Cloud; Gateway; Customer Cloud with the customer application server hosted in the cloud; traffic to the customer Cloud
Cloud orchestration
Cloud components and deployment view: the components and deployment of Device Management services
• Micro services on Kubernetes: Identity & Access Mgmt, Update, Device Catalog, Message Bus, Connector, Billing, API GW
• Deployment view: load balancer → controller → App #1, App #2, App #3, replicated across Zone A, Zone B and Zone C, each zone with its own load balancer and controller, on cloud computing HW
Deployment choice: public cloud and on-premises
• Regulations: certain industries require data to be stored in private data centers
• Security: private deployments may enable data to be stored more securely
• Full control: enterprises need total control of their systems, data and processes
• Technical limitations: maintain operation in locations with limited connectivity
• Differentiation: enabling IoT device management business models for end-customers
• Use cases: utilities, smart grid
• Usage regions
On-premises orchestration
On-premises perspective on device management
• Stack: HW → OpenStack → Kubernetes (Core OS, Docker registry, jumpbox)
• Micro services: Identity & Access Mgmt, Update, Device Catalog, Message Bus, Connector, Billing, API GW
• Firewall & load balancer, controller, Application #1
• Supporting infrastructure: DNS, HSM, external CA, NTP, SMTP
PSA principles
A recipe for building a secure system from analysis to architecture
• Analyze: threat models & security analysis; identify key common principles across multiple use cases
• Architect: software architecture, hardware requirements, specifications (firmware architecture & hardware specifications)
• Implement: open source code
Common principles: device identity; trusted boot sequence; secure over-the-air software update; certificate-based authentication
Matching the vulnerability with the right mitigation
PSA analysis stage: assess the potential vulnerabilities
• Software: buffer overflows, interrupts, malware
• Physical: non-invasive, invasive
• Lifecycle: code downgrade, ownership changes, unauthorized overproduction, debug hacks
• Communication: man-in-the-middle, weak RNG, code vulnerabilities
Mitigations
• Physical mitigation: Arm SecurCore, Arm Cortex-M35P, CryptoCell-312P, CryptoIsland-300P
• Software mitigation: Arm TrustZone, CMSIS-ZONE, Arm Keil MDK and Arm processors with TrustZone support
• Lifecycle mitigation: Arm CryptoCell & CryptoIsland, Arm Pelion IoT Platform, Arm CoreLink SDC-600
• Communication mitigation: Arm CryptoCell & CryptoIsland
Device life-cycle security
• Manufacturing: configuring devices with a trusted, verifiable, unique cryptographic identity ("birth certificate") at the time of manufacturing
• On-boarding: commissioning – securely configuring network credentials and operational parameters; bootstrapping – authenticating and configuring devices with operational keys ("driver's license")
• Regular use: securely updating device software remotely; monitoring device health; controlling access to devices in the field
• Decommissioning: removing devices from the network
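The manufacturing → on-boarding → regular use → decommissioning sequence above, as an added example (not Arm or Pelion code): a minimal bootstrap server that records a factory-provisioned identity, issues an operational key only after a challenge-response proof of possession, authenticates field traffic with that operational key alone, and refuses a decommissioned device. HMAC with a per-device identity key stands in for the certificate-based identity used in practice; all keys and device IDs are constructed.

```python
import hashlib, hmac, secrets

def mac(key, data):   # HMAC stands in for the certificate-based signature a real deployment would use
    return hmac.new(key, data, hashlib.sha256).digest()

class BootstrapServer:
    """Models the slide's lifecycle: manufactured -> operational -> decommissioned."""
    def __init__(self):
        self.catalog = {}   # device_id -> {"id_key": factory identity key, "state", "op_key"}

    def register_birth_certificate(self, device_id, id_key):
        """Manufacturing: record the unique identity provisioned into the device's root of trust."""
        self.catalog[device_id] = {"id_key": id_key, "state": "manufactured", "op_key": None}

    def bootstrap(self, device_id, nonce, response):
        """On-boarding: verify proof of possession of the identity key, then issue an operational key.
        The nonce is a fresh server challenge, so a recorded response cannot be replayed."""
        rec = self.catalog.get(device_id)
        if rec is None or rec["state"] == "decommissioned":
            return None                 # unknown device, or one already removed from the network
        if not hmac.compare_digest(mac(rec["id_key"], nonce), response):
            return None                 # caller does not hold the birth identity: refuse enrolment
        rec["op_key"] = secrets.token_bytes(32)   # the "driver's license"; in practice wrapped for the device
        rec["state"] = "operational"
        return rec["op_key"]

    def verify_field_message(self, device_id, msg, tag):
        """Regular use: field traffic is authenticated with the operational key, never the birth identity."""
        rec = self.catalog.get(device_id)
        return rec is not None and rec["state"] == "operational" and hmac.compare_digest(mac(rec["op_key"], msg), tag)

    def decommission(self, device_id):
        """Removal from the network: drop the operational key and block any future bootstrap."""
        self.catalog[device_id].update(state="decommissioned", op_key=None)

def demo():
    """Walk one constructed device through the life cycle; returns the outcome of each step."""
    srv = BootstrapServer()
    dev_key = secrets.token_bytes(32)                 # constructed: written at the factory
    srv.register_birth_certificate("dev-0001", dev_key)
    n = secrets.token_bytes(16)
    op_key = srv.bootstrap("dev-0001", n, mac(dev_key, n))
    used = srv.verify_field_message("dev-0001", b"reading=42", mac(op_key, b"reading=42"))
    n = secrets.token_bytes(16)
    impostor = srv.bootstrap("dev-0001", n, mac(b"guessed-key", n))   # no factory identity
    srv.decommission("dev-0001")
    n = secrets.token_bytes(16)
    after = srv.bootstrap("dev-0001", n, mac(dev_key, n))    # genuine key, but device was removed
    return [op_key is not None, used, impostor is None, after is None]
```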
Device access control and security: how, when and who can access devices?
Devices are often installed outside of the security perimeter, but are part of an enterprise network
Device passwords are typically used to control access to devices
Device passwords are virtually impossible to manage
• Often shared across devices and people
• Create easily-exploited security backdoors
Delegated access control
Overcomes inherent vulnerabilities of using passwords for device access control
Solve the problem with an implementation of the IETF ACE standards
• Authentication of users – controls permissions of specific users based on their current status in the company
• Granular authorization – grant very detailed permissions to specific users, e.g. a single configuration parameter
Diagram: Authorization Server (steps 1, 2)
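An added example of the delegated-access pattern described above (not part of the slides, and not the Pelion or IETF ACE implementation): an Authorization Server that consults the user's current company status and issues a device-bound, short-lived token limited to one configuration parameter, and a device that checks the token instead of a password. A JSON body with an HMAC tag under a key shared by the AS and the device is a simplified stand-in for the CBOR/COSE-protected tokens ACE specifies; the user directory, device IDs and scope names are constructed.

```python
import hashlib, hmac, json, time

RS_KEY = b"constructed-key-shared-by-AS-and-device"   # AS <-> device key; stand-in for ACE's COSE-protected token

# Constructed HR view: the slide ties permissions to the user's current status in the company.
DIRECTORY = {
    "alice": {"status": "active", "scopes": {"config:write:report_interval", "config:read:*"}},
    "bob":   {"status": "left",   "scopes": {"config:write:*"}},   # former admin who has left
}

def scope_covers(granted, requested):
    """'config:read:*' covers 'config:read:fw_version'; otherwise the parts must match exactly."""
    g, r = granted.split(":"), requested.split(":")
    return len(g) == len(r) and all(a in ("*", b) for a, b in zip(g, r))

def as_issue_token(user, device_id, requested, now=None):
    """Authorization Server: check the user's current status, then mint a MACed token
    carrying exactly the requested scope, bound to one device and a short lifetime."""
    entry = DIRECTORY.get(user)
    if entry is None or entry["status"] != "active":
        return None                     # departed or suspended users get nothing, whatever their old rights
    if not any(scope_covers(s, requested) for s in entry["scopes"]):
        return None                     # permission not granted to this user
    claims = {"sub": user, "aud": device_id, "scope": requested, "exp": (now or time.time()) + 300}
    body = json.dumps(claims, sort_keys=True).encode()   # JSON here; ACE itself uses CBOR/CWT
    return {"claims": body, "tag": hmac.new(RS_KEY, body, hashlib.sha256).hexdigest()}

def device_check(token, device_id, operation, now=None):
    """Resource server (the device): no password at all, just token integrity, audience, expiry and scope."""
    if token is None:
        return False
    expected = hmac.new(RS_KEY, token["claims"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["tag"]):
        return False                    # forged or modified token
    c = json.loads(token["claims"])
    if c["aud"] != device_id or c["exp"] < (now or time.time()):
        return False                    # token for another device, or already expired
    return scope_covers(c["scope"], operation)

def demo():
    """Returns the outcome of five access attempts against constructed device 'meter-42'."""
    t = as_issue_token("alice", "meter-42", "config:write:report_interval")
    return [
        device_check(t, "meter-42", "config:write:report_interval"),                 # exactly what was granted
        device_check(t, "meter-42", "config:write:admin_password"),                  # another parameter: denied
        device_check(t, "meter-99", "config:write:report_interval"),                 # token bound to one device
        as_issue_token("bob", "meter-42", "config:write:report_interval") is None,   # user has left the company
        device_check(t, "meter-42", "config:write:report_interval", now=time.time() + 600),  # expired
    ]
```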
Pelion Device Management makes IoT deployment and management easy
Diagram labels:
• Network connection methods: non-IP devices (Zigbee, Bluetooth & Bluetooth low energy, LPWA (Low Power Wide Area)) and IP-connected devices (WiFi, cellular, Ethernet)
• IoT device application; Mbed OS Device Management client; secure root-of-trust built into the device
• Gateway connection: edge computing, gateway management, multi-protocol device and access management, data protocol conversion, managed network
• LPWAN device management
• Pelion device management services: secure provisioning of assets/IDs; energy-efficient connectivity; endpoint/gateway device management; firmware deployment/update campaigns; endpoint/gateway computing/access management
• User company's applications/services: servers, storage, rule engine, web analytics, integration, custom applications
Securely manage every network-connected IoT device throughout its life cycle
• All IoT devices can be managed centrally
• Any device can connect
• Supports every cloud, from public to on-premises
Secure asset/ID provisioning; energy-efficient connectivity; firmware updates for both endpoints and gateways; endpoint/gateway access management (developer management console)